Security in Wireless LANs
Download
Report
Transcript Security in Wireless LANs
Security in Wireless LANs
Presented by Raquel S.
Whittlesey-Harris
6/25/02
Contents
Wireless LANs, An Overview
Security Threats
Basic Definitions
HIPERLAN
802.11
Solutions
References
7/17/2015
2
Wireless LANs, An Overview
What is Wireless Local Area Network
technology (WLAN)?
A wireless (w/o wired cables) data
communication system that uses shared radio
waves or infrared light to transmit and receive
data
Provides freedom and flexibility to connect to a
network or internet w/o being physically
connected with a cable or modem
7/17/2015
3
Wireless LANs, An Overview
Communication is via air, walls, ceilings and
cement structures (throughout or between
buildings)
Can alleviate network deployment costs
Solve some installation problems of older structures
(asbestos)
Essentially an unlimited number of points for attacking
We will take a look at two standards
IEEE’s 802.11
ETSI’s HIPERLAN
7/17/2015
4
Wireless LANs, An Overview
Peer-to-Peer (Adhoc)
Wireless devices have no access point
connection and each device communicates with
each other directly
7/17/2015
5
Wireless LANs, An Overview
Client/Server (infrastructure networking)
Extends an existing wired LAN to wireless
devices by adding an access point (bridge and
central controller)
7/17/2015
6
Security
What is a secure environment?
No system is 100% secure
Generally applications, industries apply
their own set of security tolerances
7/17/2015
E.g., DHHA (Department of Health and Human
Services) has created a set of rules called the
HIPAA (Health Insurance Portability and
Accountability Act) to regulate the use and
discloser of protected health information
7
Security Threats
Denial-of-Service
The system or network becomes unavailable to
legitimate users or services are interrupted or delayed
(due to interference)
Equipment can be purchased from electronic stores
easily and prices are reasonable
Protection is expensive and difficult
Only total solution is to have the wireless network inside of the
faraday cage (applicable in rare cases)
Easy however to locate the transceiver used to
generate the interference
7/17/2015
8
Security Threats
Interception/Eavesdropping
(confidentiality)
Identity of a user is intercepted for use later to
masquerade as a legitimate user
Data stream is intercepted and decrypted for the
purpose of disclosing private information
Radio band transmissions are readily intercepted
There is no means to detect if a transmission has
been eavesdropped
Strong encryption is necessary to keep the contents
of intercepted signals from being disclosed
7/17/2015
9
Security Threats
The frequency band and transceiver power has a great
effect on the range where the transmission can be
heard
2-5 MHz radio band and 1 W transceiver power
W/o electromagnetic shielding the network transmissions may be
eavesdropped from outside of the building for which the network
is operating
Manipulation
Data has been compromised
Inserted, deleted or otherwise modified
Can occur during transmission or to stored data
E.g., a virus
7/17/2015
10
Security Threats
Masquerading
The act of an adversary posing as a legitimate user in
order to gain access to a wireless network or system
served by the network
Strong authentication is required to prevent such
attacks
Repudiation
User denies performing an action on the network
Sending a particular message
Accessing the network
Again strong authentication of user’s is required,
integrity assurance methods, and digital signatures
7/17/2015
11
Security Threats
Transitive Trust
Intrusion by fooling the LAN to trust the mobile
controlled by the intruder
Authentication again important
Infrastructure
These attacks are based on weaknesses in the system
Software, configuration, hardware failure, etc.
Protection almost impossible
7/17/2015
Best to just test the system as thoroughly as possible
12
Summary – Security Threats
Denial-of-Service
Interception/Eavesdropping
Manipulation
Masquerading
Repudiation
Transitive Trust
Infrastructure
7/17/2015
Faraday Cage
Encryption techniques
Authentication
Authentication
Authentication,
integrity assurance,
digital signatures
Authentication
Thorough Testing
13
Basic Definitions
Confidentiality
Integrity
Are you communicating with whom you think?
Is the data you are looking at correct or has it been
tampered with?
Availability
Are you the only one who is viewing information
specific to you or authorized users?
Are the required services there when you need them?
Authentication
Are you who you say you are?
7/17/2015
14
HIPERLAN
Developed by the European Telecommunications
Standards Institute (ETSI)
Similar to 802.11
HiperLAN/1
Provides communications up to 20 Mbps in the 5-GHz
range of the radio frequency spectrum
HiperLAN/2
Provides communications up to 54 Mbps in the same
FR band
Compatible with 3G WLAN systems (data, images,
voice)
7/17/2015
15
HIPERLAN
Defines the MAC sublayer, Channel Access
Control (CAC) sublayer and the physical
layer
Currently the defined physical layers use 5.15 –
5.30 GHz frequency band and supports
Up to 2,048 Kbps synchronous traffic
Up to 25 Mbps asynchronous traffic
7/17/2015
16
HIPERLAN
Properties
Provides a service that is compatible with the ISO MAC service
definition in ISO/IEC 15 802-1
Compatible with the ISO MAC bridges specification ISO/IEC 10
038 for interconnection with other LANS
Ad-hoc or arranged topology possible
Supports mobility
May have coverage beyond the radio range limitation of a single
node
Supports asynchronous and time-bounded communication by
means of a Channel Access Mechanism (CAM) – priorities provide
hierarchical independence of performance
Power Management
7/17/2015
17
HIPERLAN
Defines an optional encryption-decryption
scheme
All HM-entities (HiperLAN MAC) use a common set
of shared keys (HIPERLAN key-set)
Plain text is ciphered by XOR operation with
random sequence generated by a confidential
algorithm
7/17/2015
Each has a unique key identifier
Uses the secret key and an initialization vector sent in
every MPDU (MAC Protocol Data Unit) as input
18
HIPERLAN
HiperLAN does not define any kind of
authentication
7/17/2015
19
802.11
Defined by IEEE to cover the physical layers
and MAC sublayers for WLANs
3 physical layers
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS or DS-CDMA)
Baseband Infrared
DSSS is mostly used since FHSS cannot support
high speeds without violating FCC regulations
All physical layers offer2 Mbps data rate
Radio uses 2,400 – 2,483.5 MHz frequency band
MAC layer is common to all physical layers
7/17/2015
20
802.11
802.11 implementation
7/17/2015
21
802.11
Properties
Supports Isochronous and Asynchronous
Supports priority
Association/Disassociation to an AP in a BSS or ESS
Re-Association or Mobility Management to transfer of association
from one AP to another
Power Management (battery preservation)
Authentication to establish identity of terminals
Acknowledgement to ensure reliable wireless transmission
Timing synchronization to coordinate the terminals
Sequencing with duplication detection and recovery
Fragmentation/Re-assembly
7/17/2015
22
802.11
Defines two authentication schemes
Open System Authentication
All mobiles requesting access are accepted
Shared Key Authentication
Uses shared key cryptography to authenticate
7/17/2015
23
802.11
7/17/2015
24
802.11
Optional Wired Equivalent Privacy (WEP)
mechanism
Confidentiality and Integrity of traffic
Station-to-Station
No end-to-end security
Integrity Check (ICV)
Implements RC4 PRNG[8] algorithm
40 bit secret key
24 bit initialization vector (IV)
7/17/2015
25
802.11
RC4
Input: IV, Random Key, Plaintext
IV and key is input to E keystream output
Keystream output is XORed with plain text ciphertext
Keystream output is also fed back to I (to cause a variation as a function
of IV and key); must not use same keystream twice
IV sent as an unencrypted part of the ciphertext stream (integrity must
be assured)
7/17/2015
26
802.11
RC4
Supports variable length keys
Most commonly used are 40 bits for export controlled systems and 128 bits for
domestic applications
128 bit encryption (104 bits key)
Standard does not specify key management or distribution
Provide a globally shared array of 4 keys
Supports an additional array that associates a unique key with each user
station
7/17/2015
27
802.11
RC4
A CRC32 bit stream is appended to the plaintext message to
provide integrity
Does not ensure cryptographic integrity
7/17/2015
28
802.11
Vulnerabilities and Weaknesses
Authentication
Authentication and an association (binding between the station
and access point (AP)) is required before transmission
States
Unauthenticated & unassociated
Authenticated & unassociated
Authenticated and associated
Two authentication methods mentioned earlier
7/17/2015
Open System Authentication (OSA)
Shared Key Authentication
29
802.11
OSA
Default authentication method
Two management frames exchanged
Station station MAC address, identifier (authentication
request) AP
AP status field (authentication success or failure)
Authenticated and unassociated
Two frames to establish association
Most vendors implement a wireless access control mechanism
based on examining the station MAC address and blocking
unwanted stations from associating
7/17/2015
Requires that a list of authorized MAC addresses be loaded on
each AP
30
802.11
OSA Weaknesses
Loading and identifying MAC addresses is
manually intensive
Snoopers can get valid MAC addresses and
modify a station to use the valid address
Potential to create problems with 2 addresses using
the network at the same time
7/17/2015
31
802.11
Shared Key Authentication
Uses the optional WEP algorithm along with a
challenge response system to mutually
authenticate a station and an AP
APs beacon (announce presence)
Station beacon (AP address)
Station management frame (seq #1) AP
AP authentication challenge (seq #2) Station
7/17/2015
Psuedo-random number + shared key + random IV
Unencrypted
32
802.11
SKA
Station challenge
AP frame
7/17/2015
Copies into a new frame which is encrypted (WEP)
Shared key, new IV
AP
Decrypts,
Checks CRC32
Checks challenge
Repeat to authenticate the AP
33
802.11
7/17/2015
34
802.11
Shared Key Authentication Weaknesses
Snoopers monitor the second (unencrypted
challenge) and third (encrypted challenge)
exchanges
7/17/2015
Plaintext of the original frame including the random
challenge
Encrypted frame containing the challenge
IV used to encrypt the challenge
XOR of plaintext, ciphertext keystream to
encrypt the challenge response frame
35
802.11
Snooper does not have shared secret key
but with keystream can enter the network
7/17/2015
Requests authorization to the network
AP sends new challenge (new IV)
Compute a valid CRC-32 checksum
Encrypts the challenge with the keystream
acquired earlier
Appends IV used and sends the frame
Further penetration cannot be achieved
without the proper secret key
36
802.11
RC4 Encryption
WEP does not implement a secure version of RC4 and
violates several other cryptographic design and
implementation principles
Suggestions have been made to not only increase the key sizes
and strengthen key management,
7/17/2015
Replace encryption algorithm
Addition of a session key derivation algorithm
Lengthening the IV to 128 bits
Adding a sequence number in dynamic keyed implementations
Addition of 128 bit cryptographic integrity check
Additional encryption of other payload elements
37
802.11
Interception
802.11 specifies three physical layers,
Infrared (IR)
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS)
Broadcasts 900 MHz, 2.4 GHz, 5 GHz
Commercial wireless devices is readily capable of
receiving all signals
It is also fairly simple to modify the device drivers or
flash memory to monitor all traffic
7/17/2015
38
802.11
Keystream Reuse
Standard recommends but does not require changing
the IV for every frame transmitted
No guidance is provided for selecting or initializing the IV
Two packets using the same IV and key allows a
snooper to discover plaintext
The XOR of two ciphertexts the XOR of two plaintexts
Knowing one plaintext is all it takes
Berkeley indicates that some PCMCIA cards reset the
IV to zero when initialized and then increment the IV
by one for each packet transmitted
7/17/2015
39
802.11
Standard specifies the size of the IV field to be 3 octets
(24 bits)
IV will rollover mode 24
Since MAC frames range in size from 34 bytes to 2346 bytes
Reused after 224 packets
Min rollover occurs at 224 x 34 bytes (570 MB)
Max rollover occurs at 224 x 2346 bytes (40 GB)
Berkeley indicates a busy AP will rollover in about a half of a
day operating at half capacity
Reading the IV is trivial since it is transmitted
unencrypted
7/17/2015
40
802.11
Integrity Assurance
The ICV (Integrity Check Value)
Plaintext is concatenated with the ICV to form the
plaintext to be encrypted
CRC32 – linear function
Possible to change 1 or more bits in the original plaintext
and predict which bits in the CRC32 checksum to modify
Checksum is performed over the entire MAC packet
Includes higher level protocol routing address and port
fields (can redirect message when changing IP
address)
32 bits (4 octets) in MAC frame
7/17/2015
41
Solutions
IEEE is working on upgrade of security standard
Vendors can implement key management
(external to the standard)
Limits choices (interoperability)
VPN (Virtual Private Network)
Provides a secure and dedicated channel over an untrusted network
Provides authentication and full encryption
7/17/2015
42
Solutions
A solution
Requirement – seamless integration into
existing wired networks
link layer security is selected over end-to-end
(machine-to-machine)
Requirement – two-way authentication
Requirement – flexibility to utilize the future
advances in cryptography
7/17/2015
43
Solutions
Authentication – public key cryptography
Certificates contain
Mobile {Cert_Mobile, CH1, Kist of SKCSs} Base
{serial number, validity period, machine name, machine public
key, CA name}
CH1 is a random generated number
SKCSs is transmitted to negotiate algorithm used
Algorithm and key size are transmitted in list
Base verify signature on Cert_Mobile
7/17/2015
Proves the public key in the certificate belongs to a certified
mobile host
Not sure if the certificate belongs to the mobile
If certificate is invalid
Reject connection
44
Solutions
Base {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS,
Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, SH1, List
of SKCSs}} Mobile
Mobile validates Cert_Base, verify signature of message
(using public key of Base)
Save RN1 for later use
Chosen SKCS is most secure from those supported by both
If CH1 and List of SKCS match those sent by mobile to base
Authenticate base
Mobile {E(Pub_Base, RN2), Sig{Priv_Mobile,{E(Pub_Base,
RN2), E(Pub_Mobile, RN1)}}} Base
7/17/2015
RN2 is randomly generated by mobile
RN1 XOR RN2 is used as a session key for all communications
remaining
45
Solutions
Base verifies the signature of the message using
Pub_Mobile
Session key formed in two parts sent in different
messages for better protection
Authenticate mobile if valid
Decrypt E(Pub_Base, RN2) with private key
Form session key RN1 XOR RN2
Compromising the private key does not compromise the traffic
Need to know both RN1 and RN2
These transactions are to occur at the MAC layer prior
to network access
7/17/2015
46
Solutions
7/17/2015
47
Solutions
Confidentiality can be achieved using an existing
symmetric cryptography algorithm
IDEA – International Data Encryption Algorithm
DES – Data Encryption Standard
Uses Block Cipher with a 128-bit key
Private key encryption (72 quadrillion possible keys)
Restricted for exportation by US Government
Shared key is agreed using mechanism above
Integrity can be achieved using a fingerprint generated
by a one-way hash function
MD5
SHA
7/17/2015
48
Solutions
Key Change Protocol
Initialized by base or mobile
E.g.,
Base Signed(Priv_Base,{E(Pub_Mobile, New_RN1),
E(Pub_Mobile,RN1) }) Mobile
Mobile Signed(Priv_Mobile,{E(Pub_Base, New_RN2),
E(Pub_Base, RN2) }) Base
New RN1 XOR RN2 value is used
7/17/2015
49
Solutions
Key Management
One possible solution is to use the smart card
technology
7/17/2015
CA creates the private and public keys inside the smart
card
Private key never readable from card
CA signs the public key with his private key and stores the
public key to the smart card
Smart card is given to the end user to use in any wireless
LAN mobile
50
References
Uskela, Sami, Security in Wireless Local Area Networks,
Department of Electrical and Communications
Engineering, Helsinki University of Technology, December
1997
Mahan, Robert, Security in Wireless Networks, SANS
Institute, November 2001
Laing, Alicia, The Security Mechanism for IEEE 802.11
Wireless Networks, SANS Institute, November 2001
Ellingson, Jorgen, Layers One & Two of 802.11 WLAN
Security, SANS Institute, August 2001
7/17/2015
51
References
Fidler, Beau, Mobile Medicine. SANS Institute, August 2001
Hurley, Chad, Isolating and Securing Wireless LANs, SANS Institute,
October 2001
Conn, Dale, Security Aspects of Mobile IP, SANS Institute, December
2001
Voorhees, James, The Limits on Wireless Security: 802.11 in early
2002, SANS Institute, January 2002
McAleer, Sean, A Defense-in-Depth Approach for Securing Mobile
Devices and Wireless LANs, SANS Institute, January 24, 2001
Ow, Eng Tiong, IEEE 802.11b Wireless LAN: Security Risks, SANS
Institute, September 2001
7/17/2015
52